The Digital Personal Data Protection (DPDP) rules, a landmark law that will determine the privacy and how information of Indian citizens online is managed, is on its last leg of processes before being implemented. The IT ministry released the draft rules to the public Friday night, with feedback invited on the MyGov portal from stakeholders till February 18.
After incorporating any updates that may come up during the public feedback and consultation stage, the new law is set to be notified, perhaps taking effect as early as April 1.
“[This] is a landmark initiative designed to protect the personally identifiable information of Indian citizens while fostering trust in the country’s thriving digital ecosystem, said Ruchin Kumar, vice president (South Asia) of Futurex, a leading enterprise data security firm. “By introducing stringent regulations, it seeks to revamp how organizations collect, store, share, and process personal data.”
From the present state of the draft law, individual digital users, called ‘Data Principals’, will have greater control over their personal information, with provisions like explicit consent requirements and the right to access, correct and erase data.
At the same time, ‘data fiduciaries’, the likes of websites and apps who collect the data, have to obtain consent from users, informing them what data they are collecting and why they are collecting it. They have to ensure the data is secure and inform if and when data breaches take place. They also need to institute data protection officers within their fold, who will have to conduct audits to ensure the new rules are being effectively implemented.
The draft calls for the setting up of a Data Protection Board of India, which has yet to be set up, as well as consent managers who will collect data under prescribed formats.
A possible bigger challenge would be the major procedural implementations across businesses across the country to deal with the new law’s provisions, which could possibly delay or even trip it up in the initial stages. This ranges from data processors or consent managers to “strong encryption for data both at rest and in transit, with advanced encryption algorithms and secure protocols,” according to Kumar of Futerex.
“We foresee that businesses will face some complex challenges in managing consent as it forms the heart of the law,” said Mayuran Palanisamy, partner, Deloitte India, adding how it will require companies to make “changes at the design and architecture level of applications and platforms.”
All this will require investments in technology and processes, as well as workforce training. “The expectation was that the rules would address implementation challenges, procedural gaps, and areas where the Act required further clarity...(but) there is still significant ground to cover,” pointed out Shreya Suri, partner with the law firm IndusLaw.
Though supposed to be modelled on the GDPR rules of Europe, India’s own DPDP took years—despite a report instituted by the government laying down a format modelled on the European rules, the first draft of India’s Data Protection bill had caused an uproar inside and outside Parliament, with the sweeping powers it gave governmental agencies to tap and use private data. The bill was then sent to a parliamentary committee, which was also not without drama. Finally passed by the Parliament in 2023 and even the President giving her assent months ago, the government had taken its own sweet time deliberating and fine-tuning the provisions.
